Kaspersky Lab experts have detected Triada, a new Trojan targeting Android devices that can be compared to Windows-based malware in terms of its complexity. It is stealthy, modular, persistent and written by very professional cybercriminals. Devices running the 4.4.4. and earlier versions of the Android OS are at greatest risk.

According to the recent Kaspersky Lab research on Mobile Virusology, nearly half of the top 20 Trojans in 2015 were malicious programs with the ability to gain super-user access rights.

Super-user privileges give cybercriminals the rights to install applications on the phone without the user’s knowledge.

This type of malware propagates through applications that users download/install from untrusted sources. These apps can sometimes be found in the official Google Play app store, masquerading as a game or entertainment application.

They can also be installed during an update of existing popular applications and, and are occasionally pre-installed on the mobile device. Those at greatest risk include devices running 4.4.4. and earlier versions of the Android OS.

There are 11 known mobile Trojan families that use root privileges. Three of them – Ztorg, Gorpo and Leech – act in cooperation with each other. Devices infected with these Trojans usually organize themselves into a network, creating a sort of advertising botnet that threat actors can use to install different kinds of adware.

But that’s not all…

Shortly after rooting on the device, the above-mentioned Trojans download and install a backdoor. This then downloads and activates two modules that have the ability to download, install and launch applications.

The application loader and its installation modules refer to different types of Trojans, but all of them have been added to our antivirus databases under a common name – Triada.

Getting into the parental Android process

A distinguishing feature of this malware is the use of Zygote – the parent of the application process on an Android device – that contains system libraries and frameworks used by every application installed on the device.

In other words, it’s a demon whose purpose is to launch Android applications. This is a standard app process that works for every newly installed application.

It means that as soon as the Trojan gets into the system, it becomes part of the app process and will be pre-installed into any application launching on the device and can even change the logic of the application’s operations.

This is the first time technology like this has been seen in the wild. Prior to this a Trojan using Zygote was only known of as a proof-of-concept.

The stealth capabilities of this malware are very advanced. After getting into the user’s device Triada implements in nearly every working process and continues to exist in the short-term memory.

This makes it almost impossible to detect and delete using antimalware solutions. Triada operates silently, meaning that all malicious activities are hidden both from the user and from other applications.
The complexity of the Triada Trojan’s functionality proves the fact that very professional cybercriminals, with a deep understanding of the targeted mobile platform, are behind this malware.

Triada’s business model

The Triada Trojan can modify outgoing SMS messages sent by other applications. This is now a major functionality of the malware.

When a user is making in-app purchases via SMS for Android games, fraudsters are likely to modify the outgoing SMS so that they receive the money instead of the game developers.

“The Triada of Ztrog, Gorpo and Leech marks a new stage in the evolution of Android-based threats. They are the first widespread malware with the potential to escalate their privileges on most devices. The majority of users attacked by the Trojans were located in Russia, India and Ukraine as well as APAC countries,” said Nikita Buchka, Junior Malware Analyst at Kaspersky Lab.

“It is hard to underestimate the threat of a malicious application gaining root access to a device. Their main threat, as the example of Triada shows, is in the fact that they provide access to the device for much more advanced and dangerous malicious applications. They also have a well-thought-out architecture developed by cybercriminals who have deep knowledge of the target mobile platform,” he added.

The Philippines is among the countries attacked by the Triada malware. The percent of users attacked in the country is not as many as the incidents recorded in Russia, India and China.
However, the global cybersecurity company said makers of Triada are still actively lurking and waiting for more prey.

“Kaspersky Lab has recorded a few incidents of Triada infection in the country last year. This clearly shows Filipino Android users are not safe. With nine out of 10 Filipino mobile users using Android-powered devices, Philippines is definitely at risk of more Android malware infections,” said Anthony Chua, Territory Channel Manager for the Philippines and Singapore at Kaspersky Lab Southeast Asia.

“The Triada malware is a stealthy and continuously evolving malware with the sole target of infecting more and more Android devices. Because it is modular, it can expand and upgrade and we cannot tell exactly who their next targets would be,” Chua added.

As it is nearly impossible to uninstall this malware from a device, users face two options to get rid of it. This first is to “root” their device and delete the malicious applications manually. The second option is to jailbreak the Android system on the device.

Rooting means gaining a root access or sudo command to be able to run or delete phone applications. Jailbreaking, on the other hand, is the process of freeing your device from its locked-down status in order to run unauthorized software.

One of the main problems with Triada is that it can potentially hurt a LOT of people. Kaspersky Lab researchers estimate that in every 10 Android users 1 was attacked by either one or several of those Trojans during the second half of 2015, so there are millions of devices with a huge possibility of being infected with Triada.

So, what can you do to protect yourself from this stealthy beast?

1. Never forget to update your system. It turns out that those smaller Trojans face serious problems trying to get root access on Android 4.4.4 and above, because a lot of vulnerabilities were patched in these versions.

If you have Android 4.4.4 or some more recent version of this OS on your device, your chances of getting infected with Triada are significantly lower. Yet Kaspersky Lab statistics says that about 60% of Android users are still sitting with Android 4.4.2 and below.

2. Install an anti-virus solution on your Android device. Kaspersky Internet Security for Android detects all three of Triada’s modules. It can save your money from cybercriminals that are behind Triada. Just don’t forget that the scan does not run automatically in the free version.

But all in all, Triada is yet another example of a really bad trend: malware developers are taking Android seriously, and the latest samples are almost as complex and hard to withstand, as their Windows-based kin. The only good way to fight all these threats is to be proactive, and so a good security solution is a must.